Reverse Engineering Packet Structures Through The Client?

**AcarX** · 15-04-16

I appriciate all the help guys. I'd like to clarify my aim once again though. If possible I'd like to analyze packet structures through client instead being dependant on an online server. While I was messing around in IDA I found bunch of strings such as "Agpm::Character OnReceive(1) ..", "Agpm::Item OnReceive(1)". I believe Agpm stands for "Archlord game packet manager". Although I wasn't abled to make much sense of what was happening due to my lack of assembly knowledge.

**dTantra** · 15-04-16

Originally Posted by AcarX

I appriciate all the help guys. I'd like to clarify my aim once again though. If possible I'd like to analyze packet structures through client instead being dependant on an online server. While I was messing around in IDA I found bunch of strings such as "Agpm::Character OnReceive(1) ..", "Agpm::Item OnReceive(1)". I believe Agpm stands for "Archlord game packet manager". Although I wasn't abled to make much sense of what was happening due to my lack of assembly knowledge.

If that is the goal, you are in for a long hard trip, as most games do not leave enough information to "easily" pull structure data from ASM.

Most of the time it simply compiles the data for each opcode function and copies it to a reserved set of memory that was created based on the final packet size. That memory location is than usually pushed to whatever function handles the encryption if any is present.

So really what you are looking at doing is a ton of reverse engineering to go step by step as a particular packet is received and handled to see what kind of data that it pulls off and an attempts to see what it does with that data. This is usually why people take large dumps of packets and analyze them so they can see the exact data in use and modify it as they need to see the desired effect.

Ill use another game as an example.

Here is the packet data for character deletion, decrypted of course.

Code:

12 00 18 05 02 00 00 00  06 33 34 35 33 34 35 00  ........  .345345.
2E 1A                                             ..

I know from working with the game for a few days that the opcode for the function is 0x0518

Here is the function in game that creates that packet.

Code:

CPU Disasm
Address   Hex dump          Command                                  Comments
00818E10  /$  55            PUSH EBP                                 ; GDMO.00818E10(guessed Arg1,Arg2)
00818E11  |.  8BEC          MOV EBP,ESP
00818E13  |.  51            PUSH ECX
00818E14  |.  894D FC       MOV DWORD PTR SS:[LOCAL.1],ECX
00818E17  |.  68 18050000   PUSH 518                                 ; /Arg1 = 518
00818E1C  |.  8B4D FC       MOV ECX,DWORD PTR SS:[LOCAL.1]           ; |
00818E1F  |.  E8 DC86C0FF   CALL 00421500                            ; \GDMO.00421500
00818E24  |.  8B45 08       MOV EAX,DWORD PTR SS:[ARG.1]
00818E27  |.  50            PUSH EAX                                 ; /Arg1 => [ARG.1]
00818E28  |.  8B4D FC       MOV ECX,DWORD PTR SS:[LOCAL.1]           ; |
00818E2B  |.  E8 507DC0FF   CALL 00420B80                            ; \GDMO.00420B80
00818E30  |.  8B4D 0C       MOV ECX,DWORD PTR SS:[ARG.2]
00818E33  |.  51            PUSH ECX                                 ; /Arg1 => [ARG.2]
00818E34  |.  8B4D FC       MOV ECX,DWORD PTR SS:[LOCAL.1]           ; |
00818E37  |.  E8 1488C0FF   CALL 00421650                            ; \GDMO.00421650
00818E3C  |.  68 18050000   PUSH 518                                 ; /Arg1 = 518
00818E41  |.  8B4D FC       MOV ECX,DWORD PTR SS:[LOCAL.1]           ; |
00818E44  |.  E8 9786C0FF   CALL 004214E0                            ; \GDMO.004214E0
00818E49  |.  8B4D FC       MOV ECX,DWORD PTR SS:[LOCAL.1]
00818E4C  |.  E8 0F81C0FF   CALL 00420F60                            ; [GDMO.00420F60
00818E51  |.  8BE5          MOV ESP,EBP
00818E53  |.  5D            POP EBP
00818E54  \.  C2 0800       RETN 8

Can you tell what the structure of the above packet is by looking at the dump?

How about with this?

Code:

int __thiscall sub_818E10(void *this, char Src, wchar_t *Str)
{
  void *v3; // ST04_4@1

  v3 = this;
  sub_421500((int)this, 1304);
  sub_420B80(Src);
  sub_421650(Str);
  sub_4214E0(v3, 1304);
  return sub_420F60(v3);
}

I know the structure of the above packet and code, it basically breaks down to this.

Code:

#pragma pack(push, 1)
struct  MSG_REQUEST_CHAR_DELETE
{          
    WORD pSize;       //Packet Size
    WORD pFunction;   //Packet Function
    DWORD cNumber;    //Character slot to delete
    BYTE nSize;       //Size of character name
    CHAR * cEmail;    //Email address to verify delete
    BYTE bPad;        //0x00 for padding
    WORD sWord;       //Security bytes for packet.
};
#pragma pack(pop)

So I guess my final point is this, unless you are very intimate with the game in question, it is going to be difficult to do what you want, and my advice is to learn from the packets first and than perhaps eventually you will be able to spot them in ASM. I usually dump the packets first, than if I find one that interests me that I cannot figure out without looking at the ASM, I search for the opcode for the function and just debug it as it processes that particular packet.

Sorry if this is not what you wanted, I am just trying to save you some time.

//Edit

This is a overly simplified example, the code above is now the complete code used to handle the deletion, it is simply the building of the packet. Prior steps include parsing the email entry and verifying the size etc. of it.

- - - Updated - - -

Also if you want, I can see about creating a system that will dump the packets for you in their decrypted form, assuming the game is still live.

**AcarX** · 15-04-16

Thanks for the great answer. From what I understand there's no way around having to collect packet samples from an online server unless you're a beast at assembly which I am not. And considering my issue being having problems accessing certain packets I guess I'm in a pickle here.

As for a system to dump packets, I've built a sniffer couple months back which does what I need it to do. Thanks for the suggestion though.

**dTantra** · 15-04-16

Originally Posted by AcarX

Thanks for the great answer. From what I understand there's no way around having to collect packet samples from an online server unless you're a beast at assembly which I am not. And considering my issue being having problems accessing certain packets I guess I'm in a pickle here.

As for a system to dump packets, I've built a sniffer couple months back which does what I need it to do. Thanks for the suggestion though.

No problem, I figured I would pass along the offer.

**lastfun** · 17-04-16

@AcarX @dTantra
busy weekend, tomorrow we will continue..
together - we will win)))

**AcarX** · 18-04-16

Any time you want buddy I'm always here :)

**lastfun** · 19-04-16

encrypt function can be found here:

result:

function looks "terrible")))

Code:

int __stdcall sub_500B70(int a1, int *a2, unsigned int *a3)
{
  int result; // eax@1
  unsigned int v4; // edx@1
  unsigned int v5; // ecx@1
  unsigned int v6; // edx@1
  unsigned int v7; // ecx@1
  unsigned int v8; // edx@1
  unsigned int v9; // ecx@1
  unsigned int v10; // edx@1
  unsigned int v11; // ecx@1
  unsigned int v12; // edx@1
  unsigned int v13; // ecx@1
  unsigned int v14; // edx@1
  unsigned int v15; // ecx@1
  unsigned int v16; // edx@1
  unsigned int v17; // ecx@1
  unsigned int v18; // edx@1
  unsigned int v19; // ecx@1
  int v20; // ebx@1
  unsigned __int8 v21; // bp@1
  int v22; // ecx@1

  result = a1;
  v4 = *a2 ^ *(a1 + 8);
  v5 = *a3 ^ *(a1 + 12) ^ (*(a1 + 4 * (*a2 ^ *(a1 + 8)) + 3152)
                         + (*(a1 + 4 * BYTE1(v4) + 2128) ^ (*(a1 + 4 * (v4 >> 24) + 80)
                                                          + *(a1 + 4 * ((v4 >> 16) & 0xFF) + 1104))));
  v6 = *(a1 + 16) ^ (*(a1
                     + 4
                     * (*a3 ^ *(a1 + 12) ^ (*(a1 + 4 * (*a2 ^ *(a1 + 8)) + 3152)
                                          + (*(a1 + 4 * BYTE1(v4) + 2128) ^ (*(a1 + 4 * (v4 >> 24) + 80)
                                                                           + *(a1 + 4 * ((v4 >> 16) & 0xFF) + 1104)))))
                     + 3152)
                   + (*(a1 + 4 * BYTE1(v5) + 2128) ^ (*(a1 + 4 * (v5 >> 24) + 80)
                                                    + *(a1 + 4 * ((v5 >> 16) & 0xFF) + 1104)))) ^ v4;
  v7 = *(a1 + 20) ^ (*(a1 + 4 * v6 + 3152)
                   + (*(a1 + 4 * BYTE1(v6) + 2128) ^ (*(a1 + 4 * (v6 >> 24) + 80)
                                                    + *(a1 + 4 * ((v6 >> 16) & 0xFF) + 1104)))) ^ v5;
  v8 = *(a1 + 24) ^ (*(a1 + 4 * v7 + 3152)
                   + (*(a1 + 4 * BYTE1(v7) + 2128) ^ (*(a1 + 4 * (v7 >> 24) + 80)
                                                    + *(a1 + 4 * ((v7 >> 16) & 0xFF) + 1104)))) ^ v6;
  v9 = *(a1 + 28) ^ (*(a1 + 4 * v8 + 3152)
                   + (*(a1 + 4 * BYTE1(v8) + 2128) ^ (*(a1 + 4 * (v8 >> 24) + 80)
                                                    + *(a1 + 4 * ((v8 >> 16) & 0xFF) + 1104)))) ^ v7;
  v10 = *(a1 + 32) ^ (*(a1 + 4 * v9 + 3152)
                    + (*(a1 + 4 * BYTE1(v9) + 2128) ^ (*(a1 + 4 * (v9 >> 24) + 80)
                                                     + *(a1 + 4 * ((v9 >> 16) & 0xFF) + 1104)))) ^ v8;
  v11 = *(a1 + 36) ^ (*(a1 + 4 * v10 + 3152)
                    + (*(a1 + 4 * BYTE1(v10) + 2128) ^ (*(a1 + 4 * (v10 >> 24) + 80)
                                                      + *(a1 + 4 * ((v10 >> 16) & 0xFF) + 1104)))) ^ v9;
  v12 = *(a1 + 40) ^ (*(a1 + 4 * v11 + 3152)
                    + (*(a1 + 4 * BYTE1(v11) + 2128) ^ (*(a1 + 4 * (v11 >> 24) + 80)
                                                      + *(a1 + 4 * ((v11 >> 16) & 0xFF) + 1104)))) ^ v10;
  v13 = *(a1 + 44) ^ (*(a1 + 4 * v12 + 3152)
                    + (*(a1 + 4 * BYTE1(v12) + 2128) ^ (*(a1 + 4 * (v12 >> 24) + 80)
                                                      + *(a1 + 4 * ((v12 >> 16) & 0xFF) + 1104)))) ^ v11;
  v14 = *(a1 + 48) ^ (*(a1 + 4 * v13 + 3152)
                    + (*(a1 + 4 * BYTE1(v13) + 2128) ^ (*(a1 + 4 * (v13 >> 24) + 80)
                                                      + *(a1 + 4 * ((v13 >> 16) & 0xFF) + 1104)))) ^ v12;
  v15 = *(a1 + 52) ^ (*(a1 + 4 * v14 + 3152)
                    + (*(a1 + 4 * BYTE1(v14) + 2128) ^ (*(a1 + 4 * (v14 >> 24) + 80)
                                                      + *(a1 + 4 * ((v14 >> 16) & 0xFF) + 1104)))) ^ v13;
  v16 = *(a1 + 56) ^ (*(a1 + 4 * v15 + 3152)
                    + (*(a1 + 4 * BYTE1(v15) + 2128) ^ (*(a1 + 4 * (v15 >> 24) + 80)
                                                      + *(a1 + 4 * ((v15 >> 16) & 0xFF) + 1104)))) ^ v14;
  v17 = *(a1 + 60) ^ (*(a1 + 4 * v16 + 3152)
                    + (*(a1 + 4 * BYTE1(v16) + 2128) ^ (*(a1 + 4 * (v16 >> 24) + 80)
                                                      + *(a1 + 4 * ((v16 >> 16) & 0xFF) + 1104)))) ^ v15;
  v18 = *(a1 + 64) ^ (*(a1 + 4 * v17 + 3152)
                    + (*(a1 + 4 * BYTE1(v17) + 2128) ^ (*(a1 + 4 * (v17 >> 24) + 80)
                                                      + *(a1 + 4 * ((v17 >> 16) & 0xFF) + 1104)))) ^ v16;
  v19 = *(a1 + 68) ^ (*(a1 + 4 * v18 + 3152)
                    + (*(a1 + 4 * BYTE1(v18) + 2128) ^ (*(a1 + 4 * (v18 >> 24) + 80)
                                                      + *(a1 + 4 * ((v18 >> 16) & 0xFF) + 1104)))) ^ v17;
  v20 = *(a1 + 4 * BYTE1(v19) + 2128) ^ (*(a1 + 4 * (v19 >> 24) + 80) + *(a1 + 4 * ((v19 >> 16) & 0xFF) + 1104));
  v21 = v19;
  v22 = *(a1 + 76) ^ v19;
  *a3 = *(a1 + 72) ^ (*(a1 + 4 * v21 + 3152) + v20) ^ v18;
  *a2 = v22;
  return result;
}

**AcarX** · 19-04-16

Spot on as always. I've translated those to C couple months back so I can save you the trouble.
Crypto.h

**jonnybravo** · 19-04-16

Yep that be it got the same thing its just a simple XOR over XOR.

Was cracked back in 2007 i believe.

**zarut** · 25-06-16

One way to analyze packets from client only is to hook the functions that write the bytes and makes the packet. This way you can basically just sniff the packet while being created and get the structure same time, however this wont tell you what all the bytes represent but it would speed up analyzing them as you dont have to figure the structure out yourself.

**AcarX** · 25-06-16

Originally Posted by zarut

hook the functions that write the bytes and makes the packet

Could you elaborate on that please? How would I accomplish this? From what I could gather in assembly most functions don't use a separate writing function. It's mostly like:

Code:

lea edx, [buffer_addr + offset]
mov [edx], 5

Incase my assembly isn't correct, here's what I mean in C:
buffer[offset] = 5;

**zarut** · 28-06-16

Originally Posted by AcarX

Could you elaborate on that please? How would I accomplish this? From what I could gather in assembly most functions don't use a separate writing function. It's mostly like:

Code:

lea edx, [buffer_addr + offset]
mov [edx], 5

Incase my assembly isn't correct, here's what I mean in C:
buffer[offset] = 5;

Here is a tutorial how its accomplished in silkroad:
https://github.com/florian0/swiftnes...ts-in-Silkroad

Reverse Engineering Packet Structures Through The Client?

Thread Tools

Re: Reverse Engineering Packet Structures Through The Client?

Re: Reverse Engineering Packet Structures Through The Client?

Re: Reverse Engineering Packet Structures Through The Client?

Re: Reverse Engineering Packet Structures Through The Client?

Re: Reverse Engineering Packet Structures Through The Client?

Re: Reverse Engineering Packet Structures Through The Client?

Re: Reverse Engineering Packet Structures Through The Client?

Re: Reverse Engineering Packet Structures Through The Client?

Re: Reverse Engineering Packet Structures Through The Client?

Re: Reverse Engineering Packet Structures Through The Client?

Re: Reverse Engineering Packet Structures Through The Client?

Re: Reverse Engineering Packet Structures Through The Client?

Advertisement